Russia hacked lightweight FBI radios


blantonl
Founder and CEO, Staff member, Super Moderator
Joined: Dec 9, 2000 | Messages: 11,344 | Location: San Antonio, Whitefish, New Orleans
My understanding is the other item potentially part of this equation was “PTT Cellular”, which would translate to Nextel. Nextel PTT wasn’t encrypted and could easily be intercepted with a service monitor.

Edit: I don't believe that Nextel PTT exists anymore... but I'm not sure.

2nd Edit: Combine PTT cellular interception where they *could* most likely monitor and you've added another collection piece to the picture which would have given the Russians an enormous amount of info. The presence of encrypted AES-256 communications local to an area would indicate communications of enormous sensitivity occurring close by. If there were mediums used in the same area that could actually be monitored they could add that to the overall amount of collection info. Even innocuous communications that were intercepted that were not necessarily Top Secret or of national security concern would be extremely valuable to the Russians given the context.
 

kayn1n32008
ØÆSØ Say it, say 'ENCRYPTION'
Joined: Sep 20, 2008 | Messages: 6,967 | Location: Sector 001
Investigation into senior RCMP official stemmed from disruption of encrypted phone service: sources - senior RCMP officer arrested for trying to sell secrets via an encrypted criminal cellular Email system

Strange - "encryption" bursts into the international criminal news twice in one week

That story is much more detailed than the one I read.

Not good, not good at all. A highly placed individual such as him will likely have serious repercussions for years to come.
 

Giddyuptd
Member, Premium Subscriber
Joined: Oct 6, 2018 | Messages: 1,349 | Location: Here and there
Nothing surprises me anymore.

I've seen locals in high ends feeling entitled to have encryption in their desk radios with impersonation feeling of authority having encrypted portables hearing stuff they shouldn't such as community commissions, managers, municipal attorneys hearing it all and sensitive information they shouldn't be privileged to.

So to a point in some places the use of it is a joke.
 

com501
Member
Joined: Sep 28, 2003 | Messages: 1,615 | Location: 127.0.0.1
Social intelligence is easily the best way to get to AES keys. This is why background gets on us who have TS and above are re-examined frequently and known contacts and social postings are routinely scrutinized.

All it would take is an agent making friends with a key holder or access to keys and a little subtle or not so subtle bribery to turn a resource if they are not resistant. Sexual bribery and fear of being caught works a lot of the time.

Anything below AES256 is quite easily compromised these days with a little work. There is no excuse for laziness on the part of US secrets holders. If located, these individuals should be fired.
 

kayn1n32008
ØÆSØ Say it, say 'ENCRYPTION'
Joined: Sep 20, 2008 | Messages: 6,967 | Location: Sector 001
Anything below AES256 is quite easily compromised these days with a little work. There is no excuse for laziness on the part of US secrets holders. If located, these individuals should be fired.

And yet people think ADP will keep people from listening. An inferior cipher to DES with a smaller key-space. Keeps scanners out, but it’s welfare.
 

freqhopping
Member
Joined: Jan 5, 2004 | Messages: 7,096
FBI has used analog and P25 via repeaters in the DC area. Sometimes even in the clear. :LOL: They still use P25 on repeaters in addition to the IWN system which I first heard used for surveillance in 2014, yeah in the clear too. :rolleyes:
I've also caught one of their body mics on clear analog simplex. Their OPSEC and COMSEC are s***.
 

danesgs
Member
Joined: May 21, 2008 | Messages: 486 | Location: Leesburg VA
Heavy...Hope the FBI, DEA and other folks get a sub to RR sometime soon, we should be required reading for their technical folks based on what I read here :)
 

geoffb1723
Newbie, Premium Subscriber
Joined: Nov 19, 2011 | Messages: 4 | Location: Menlo Park
Yes, OPSEC is it. Trying to explain technically about key spaces, key length/symbol set complexity -> key entropy, key rotation violation and crypto leverage (ie 1 key affecting N(key)^M(bulk) data) is hopeless (not their fault !!). It's really a social DNA problem of any org, in that you CAN'T expect individuals in the org to understand crypto math and protocols, that's why the OPSEC sec guys remind people every month of what to do in human terms (gimme your device so I can rekey it) (do they ?). "Did you switch your OTA re-key key recently, did you switch your KSP KSK key recently ? where's/who's got your crypto ignition key ?" etc. But if you look at something like a KG-250 goober etc, they do it differently, it's all managed/keyed remotely by SAIC in San Diego, you have no (ok a small, if you hook them up to a red net router/net) choice of a possibility of opsec messes. Agree totally, the tiniest issue and the whole thing comes crashing down.. It's not fair to expect a guy in the field to understand g^^x (mod p) -1 , ie public key auth (DH) /or any algorithm or key for crypto (or any other scheme, I use this as an example.) For me, the biggest issue is that PS radio systems NEVER change keys (Ok, OTA rekey maybe, cough !) as it's an admin (social org ) hassle, think about it.. re-key 20K-100K radios across the org or USA and now Fred from Moline is calling in "I can't hear anyone!" Bottom line, crypto mgmt and OPSEC is WAY more important than any algorithm and is a HARD problem. I don't blame these poor guys, they were doing what they had been told. Nothing I mention is secret, read the literature, it's all open source. OPSEC is a culture, not a protocol. Example, I can't hear anyone, so I automatically go clear. Now I can hear them. Oops.
 

scanmanmi
Member, Premium Subscriber
Joined: Sep 25, 2011 | Messages: 841 | Location: Central Michigan
There is a lot an intelligence team can gather without ever even needing to decrypt the communications.

That is what NBC is reporting. Did Russian spies in the U.S. crack the FBI's radio codes?

You really have to ask yourself why this is even in the news:
It happens every day.
There is no law against receiving transmissions and geolocation.
They are pushing this so they can get additional funding.
Push Russia, Russia, Russia as our ultimate enemy.
Probably reinforce the ridiculous notion that Russia interfered with our elections.
 

geoffb1723
Newbie, Premium Subscriber
Joined: Nov 19, 2011 | Messages: 4 | Location: Menlo Park
Hey Lindsey, long time man ! The P25 protocols are busted, critical components of the user ID/device ID (including data frame checksums etc ) are outside the crypto envelope, stupid. Agree, 90% of intel is from SIGINT OPS location/signals/other dev data, no need to break the crypto.

But, at the time the P25 protos were designed, ie 1990's, the compute load was not able to handle realtime controller DES (3DES) or (now) AES en/decode load of the full frame (loads of other issues as to broadcast frame headers/ keys etc) in real time, so it's not their fault from 1990, but it's easy now, you can now do a side channel leak attack (which this really is) against the protos. BTW, Moto certainly knows, their crypto group is second to none and has really expert folks, they are NOT stupid.. But the question is a balance among user pain using OPSsec vs realistic security. Which is what the RU noodles took advantage of ?

Rgds.. G

Best to all !

Go get a Brutalis box...uh oh !
 

RFI-EMI-GUY
Member
Joined: Dec 22, 2013 | Messages: 7,515
I am reading a book called SpyCraft which details how US CIA agents in Moscow were tailed by KGB agents and how in the 70's the US agents used a special FM receiver SRR-100 (likely made by Motorola) to eavesdrop on the KGB tails. Later Radio Shack scanners were used. The premise was simple. If an agent was out making a dead drop and heard "chatter" by KGB agents on the channel, it was not a good day to be out and about. So listening to content was not as important as finding there was activity nearby.
 

mike_s104
Member
Joined: Aug 25, 2004 | Messages: 4,814 | Location: Berkeley Co. WV/ Loudoun Co. VA
My understanding is the other item potentially part of this equation was “PTT Cellular”, which would translate to Nextel. Nextel PTT wasn’t encrypted and could easily be intercepted with a service monitor.

Edit: I don't believe that Nextel PTT exists anymore... but I'm not sure.

2nd Edit: Combine PTT cellular interception where they *could* most likely monitor and you've added another collection piece to the picture which would have given the Russians an enormous amount of info. The presence of encrypted AES-256 communications local to an area would indicate communications of enormous sensitivity occurring close by. If there were mediums used in the same area that could actually be monitored they could add that to the overall amount of collection info. Even innocuous communications that were intercepted that were not necessarily Top Secret or of national security concern would be extremely valuable to the Russians given the context.


Probably AT&T FirstNet with their PTT app.
 

mike_s104
Member
Joined: Aug 25, 2004 | Messages: 4,814 | Location: Berkeley Co. WV/ Loudoun Co. VA
My bets here are the Russians probably were tracking the encrypted simplex communications of the FBI's counterintelligence teams. I believe even in 2012 those would have been simplex P25 encrypted with AES-256.

If the Russians simply sent out a subject they suspected of being watched by the counter intelligence teams and then had their own teams monitor for encrypted P25 simplex comms within the general vicinity of the subject, they would know that the subject was indeed being watched.

Even though it's almost certain that the Russians were not able to actually decrypt AES-256 P25 transmissions, there are a number of key meta-data variables in the FBI's simplex P25 communications that would be available. The Unit ID of the portable radio, and the current KeyID of the AES-256 encryption. Presumably, the counter-intel teams had their own personnel assigned radios which have unique P25 unit IDs, and most likely had their own team unique AES encryption keys loaded into the radios.

If you couple the ability to monitor each of those metadata variables with knowing that simplex communications are short range (local to just you), and even employ some rudimentary DF (direction finding) capabilities into the equation, it would be very simple for the Russians to determine which of their assets were being tracked by the FBI's counter-intel teams, and even possibly which individual agents were part of the tracking and close to the target (by cross-referencing P25 unit IDs).

Exactly what I was thinking too. Also, in the Northern VA area about 5 years ago I've heard FBI agents from the DC office working with agents from an office from NY (not exactly sure why). The two different teams would have the same radios/channels but one of them would have the wrong encryption keys so they would need to use in the clear. Also, when they would have aircraft helping out, the aircraft would be too far away and the P25 traffic would break up so they would switch to analog.
 

mike_s104
Member
Joined: Aug 25, 2004 | Messages: 4,814 | Location: Berkeley Co. WV/ Loudoun Co. VA
Attached is a good example of how this process worked for the Russians.

This is a screenshot of DSDPlus sitting on an FBI simplex surveillance channel this morning in an area very local to me right now. I'm not going to say where exactly this was captured or what frequency... but, what can we ascertain here? Well, let's see:

1) All the communications are encrypted using P25 AES encryption with KeyID 5412
2) There are 4 agents on this surveillance with the following Unit IDs:

3491016
3491037
3491098
3491306

This was just 15 minutes of monitoring a locally used FBI frequency, and watching and logging the traffic. I have no idea what they are saying, but if I were to use some pretty basic direction finding techniques I bet I could find the agents and their cars/aircraft and start putting unit IDs to faces and vehicles pretty quickly. Start to build a database of frequencies, unit IDs, and AES KeyIDs and a picture develops very quickly of what is going on.

Just imagine the picture you are able to develop just by adding the general location where this was monitored, and the frequency.

Then add in historical data such as which unit IDs have worked together over the past month, and where they have worked together and a complete picture begins to develop without ever having to listen to the agent's communications.

View attachment 75349

Something else I've done when I've found myself in the middle of a surveillance (no, I wasn't the subject of the surveillance but just at the right time and right place), you can at least match up the RID with the vehicle and/or agent as you see them using the radio even if it's encrypted. Later when you see that RID show up, you get an idea of what they are doing.
 
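As an added illustration (not part of any post in this thread) of how much a P25 channel reveals without any decryption, this small Python audit parses constructed DSDPlus-style log lines and reports the units, key IDs and any unit that keyed up in the clear; a COMSEC officer could run the same check over their own fleet's logs to catch the "I can't hear anyone, so I go clear" failure described above. The log format and values are constructed for the example; the P25 algorithm IDs (0x80 clear, 0x84 AES-256) are real.

```python
import re
from collections import defaultdict

# P25 algorithm IDs carried in the unencrypted link-control / encryption-sync fields.
ALG_CLEAR = 0x80   # unencrypted voice
ALG_AES256 = 0x84  # AES-256 OFB

# Constructed sample, loosely modelled on a DSDPlus-style log; not real captured traffic.
SAMPLE_LOG = """\
08:01:12 ALG=0x84 KID=5412 SRC=3491016
08:01:20 ALG=0x84 KID=5412 SRC=3491037
08:02:05 ALG=0x84 KID=5412 SRC=3491098
08:03:44 ALG=0x80 KID=0 SRC=3491306
08:04:10 ALG=0x84 KID=5412 SRC=3491016
08:04:33 ALG=0x84 KID=5412 SRC=3491306
"""

LINE_RE = re.compile(r"^(\S+) ALG=0x([0-9A-Fa-f]{2}) KID=(\d+) SRC=(\d+)$")


def parse_log(text):
    """Return one dict per voice call: time, algid, kid, src (all cleartext metadata)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"time": m.group(1), "algid": int(m.group(2), 16),
                            "kid": int(m.group(3)), "src": int(m.group(4))})
    return records


def audit(records):
    """Summarise what the channel exposes to any listener, with no key material."""
    units_by_kid = defaultdict(set)   # which units share which key (team structure)
    clear_units = set()               # units that transmitted unencrypted at least once
    for r in records:
        if r["algid"] == ALG_CLEAR:
            clear_units.add(r["src"])
        else:
            units_by_kid[r["kid"]].add(r["src"])
    return {
        "units_seen": {r["src"] for r in records},
        "units_by_kid": {k: sorted(v) for k, v in units_by_kid.items()},
        "clear_units": clear_units,
        "algids": {r["algid"] for r in records},
    }


if __name__ == "__main__":
    for key, value in audit(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```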